...
In general, for a particular escape character of the form \X, the equivalent Java representation is
Noncompliant Code Example (String Literal)
This noncompliant code example defines a method splitWords() that finds matches between the string literal WORDS and the input sequence. It is expected that WORDS would hold the escape sequence for matching a word boundary. However, the Java compiler treats the "\b" literal as a Java escape sequence, and the string WORDS silently compiles to a backspace character.
import java.util.regex.Pattern;

public class BadSplitter {
    // "\b" is a Java string escape: the compiler emits a single backspace character,
    // so the pattern never matches a word boundary and the split fails.
    private final String WORDS = "\b";

    public String[] splitWords(String input) {
        Pattern pattern = Pattern.compile(WORDS);
        String[] input_array = pattern.split(input);
        return input_array;
    }
}
Compliant Solution (String Literal)
This compliant solution shows the correctly escaped value of the string literal WORDS that results in a regular expression designed to split on word boundaries.
import java.util.regex.Pattern;

public class GoodSplitter {
    // "\\b" is interpreted by the compiler as two characters, '\' and 'b',
    // which the regex engine then reads as a word boundary. Correctly splits on word boundaries.
    private final String WORDS = "\\b";

    public String[] splitWords(String input) {
        Pattern pattern = Pattern.compile(WORDS);
        String[] input_array = pattern.split(input);
        return input_array;
    }
}
Noncompliant Code Example (String Property)
This noncompliant code example uses the same method splitWords(). This time the WORDS string is loaded from an external properties file.
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;
import java.util.regex.Pattern;

public class Splitter {
    private final String WORDS;

    public Splitter() throws IOException {
        // The regex is read from a properties file, so Properties.load()
        // performs its own backslash processing before Pattern sees the value.
        Properties properties = new Properties();
        properties.load(new FileInputStream("splitter.properties"));
        WORDS = properties.getProperty("WORDS");
    }

    public String[] splitWords(String input) {
        Pattern pattern = Pattern.compile(WORDS);
        String[] input_array = pattern.split(input);
        return input_array;
    }
}
In the properties file, the WORDS property is once again incorrectly specified as \b. This is read by the Properties.load() method as the single character b (the backslash before an unrecognized escape character is dropped), which causes the splitWords() method to split strings along the letter b.
Compliant Solution (String Property)
This compliant solution shows the correctly escaped value of the WORDS property.
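To make the two escape layers visible side by side, the following is an added example (not code from this page or from CERT) that feeds constructed properties text through Properties.load() and compares the resulting regex with the two string-literal forms above. The class name EscapeDemo, the helper names loadWords, splitWords and visible, and the sample input "abc bob" are assumptions made for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Properties;
import java.util.regex.Pattern;

public class EscapeDemo {

    // Constructed properties-file contents for this example (not the page's splitter.properties).
    // As written on disk, BAD_PROPS is the line   WORDS=\b   and GOOD_PROPS is the line   WORDS=\\b
    private static final String BAD_PROPS  = "WORDS=\\b\n";
    private static final String GOOD_PROPS = "WORDS=\\\\b\n";

    // Properties.load() applies its own backslash processing: "\\" becomes "\",
    // and a backslash before an unrecognized character such as 'b' is silently dropped.
    static String loadWords(String propertiesText) throws IOException {
        Properties properties = new Properties();
        properties.load(new StringReader(propertiesText));
        return properties.getProperty("WORDS");
    }

    // Same splitting logic as the page's splitter classes, with the regex passed in explicitly.
    static String[] splitWords(String regex, String input) {
        return Pattern.compile(regex).split(input);
    }

    // Render a string so that backslashes and a backspace character are visible in the output.
    static String visible(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '\\') {
                sb.append("\\\\");
            } else if (c == '\b') {
                sb.append("<BS>");
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        String input = "abc bob";

        // String literals: the compiler, not the regex engine, interprets "\b".
        String literalBad  = "\b";   // one character: backspace
        String literalGood = "\\b";  // two characters: backslash and b, which the regex engine reads as a word boundary
        System.out.println("literal \"\\b\"  -> " + visible(literalBad)
                + " (length " + literalBad.length() + ")");
        System.out.println("literal \"\\\\b\" -> " + visible(literalGood)
                + " (length " + literalGood.length() + ")");

        // Property values: Properties.load() interprets the backslash before Pattern sees it.
        String propBad  = loadWords(BAD_PROPS);
        String propGood = loadWords(GOOD_PROPS);
        System.out.println("property \\b   -> regex " + visible(propBad)
                + " splits \"" + input + "\" into " + Arrays.toString(splitWords(propBad, input)));
        System.out.println("property \\\\b  -> regex " + visible(propGood)
                + " splits \"" + input + "\" into " + Arrays.toString(splitWords(propGood, input)));
    }
}
```

Run with javac and java; the output shows that the first literal is a single backspace character, the \b property value arrives at Pattern as the letter b and so splits the sample input on every b, and only the doubly escaped forms reach the regex engine as a word-boundary pattern. A useful check in code that loads a regex from configuration is to log the loaded value through a helper like visible() before compiling it, so a dropped backslash is caught when the configuration is read rather than when the split quietly produces wrong pieces.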
Applicability
Incorrect use of escape characters in string literals and string inputs can result in misinterpretation and potential corruption of data.
...